CLAIMS

I claim:

1. A method for key management, comprising:

    generating a set of encrypted bits at a security server;

    transmitting said set of encrypted bits from said security server to an application server;

    broadcasting said set of encrypted bits from said application server to a plurality of recipients, said set of encrypted bits comprising information for generating a set of encryption/decryption bits;

    transmitting said set of encrypted bits from a first recipient to said security server;

    authenticating said first recipient at said security server;

    transmitting a first set of bits from said security server to said first recipient if said first recipient is authenticated, said first set of bits being a subset of said set of encrypted bits in decrypted form and comprising information for generating a set of encryption bits;

    generating said set of encryption bits at said first recipient from said first set of bits;

    encrypting a data stream at said first recipient using said set of encryption bits to form a first encrypted data stream; and

    broadcasting said first encrypted data stream from said first recipient with said set of encrypted bits to a plurality of receivers.



2. The method of Claim 1, wherein said set of encrypted bits further comprises information selected from the group consisting of a policy, a message digest, and a date and time stamp.




3. The method of Claim 2, wherein said policy comprises information selected from the group consisting of security levels of said recipients and classification of said data stream.



4. The method of Claim 1, wherein said authenticating comprises:

    establishing a private access line ("PAL") between said security server and said first recipient, comprising:

        transmitting an identification of said first recipient to said security server;

        decrypting said set of encrypted bits at said security server to obtain access information; and

        comparing said identification to said access information to establish authentication when said identification matches said access information.



5. The method of Claim 1, further comprising:

    transmitting said set of encrypted bits from a first receiver to said security server;

    authenticating said first receiver at said security server;

    transmitting a second set of bits from said security server to said first receiver if said first receiver is authenticated, said second set of bits being a subset of said set of encrypted bits in decrypted form and comprising information for generating a set of decryption bits;

    generating at said first receiver said set of decryption bits from said second set of bits; and

    decrypting said first encrypted data stream using said set of decryption bits at said first receiver.



6. The method of Claim 1, wherein said broadcasting said first encrypted data stream further comprises:

    dividing said first encrypted data stream into a plurality of data sections; and

    attaching said set of encrypted bits to each of said data sections, each said data section having a corresponding offset value, said offset value being an offset between the starting address of said first encrypted data stream and the starting address of said data section.



7. The method of Claim 1, wherein said application server comprises a memory for storing said set of encrypted bits and a corresponding set of bits containing said information for generating a set of encryption/decryption bits.

8. The method of Claim 7, further comprising comparing said set of encrypted bits to a plurality of sets of encrypted bits in said memory.

9. The method of Claim 8, further comprising returning a set of bits corresponding to a stored set of encrypted bits from said memory if said set of encrypted bits matches said stored set of encrypted bits.

M-7190 US
478096 v2



10. The method of Claim 8, wherein said set of encrypted bits fails to match any of said stored set of encrypted bits in said memory, further comprising:

    transmitting an identification of said first receiver to said security server;

    decrypting said set of encrypted bits at said security server to obtain access information; and

    comparing said identification of said receiver to said access information to establish authentication when said identification matches said access information.



11. The method of Claim 10, further comprising storing said set of encrypted bits and said corresponding set of bits containing said information for generating a set of encryption/decryption bits in said memory subsequent to said authentication.



12. The method of Claim 11, further comprising deleting a least recently used set of encrypted bits and its corresponding set of bits from said memory when said memory is full.



13. The method of Claim 1, further comprising 
broadcasting said first encrypted data stream in 
datagram packets, wherein said set of encrypted bits is 
attached to each of said datagram packets. 



14. The method of Claim 1, further comprising:

    appending said set of encrypted bits to said first encrypted data stream; and

    transmitting a second encrypted data stream from said first receiver to said first recipient, wherein a second set of encrypted bits is appended to said second encrypted data stream.



15. A method for synchronizing keys for streaming media, comprising:

    dividing an encrypted data stream into a plurality of encrypted data sections;

    generating an offset value for each encrypted data section, said offset value being an offset between the starting address of said encrypted data stream and the starting address of said encrypted data section;

    attaching a set of encrypted bits and said offset value to each said encrypted data section to form a data stream; and

    broadcasting said data stream.



16. A method for opening a seal, wherein said seal comprises a set of encrypted bits comprising information for generating a set of encryption/decryption bits, comprising:

    providing a client having a memory for storing previously opened seals and their corresponding permits, each of said permits being a subset of a corresponding seal and containing information for generating said set of encryption/decryption bits;

    transmitting said seal from a security server to said client; and

    comparing said seal to said previously opened seals in said memory.



17. The method of Claim 16, further comprising returning a permit corresponding to a first previously opened seal from said memory if said seal matches said first previously opened seal.

18. The method of Claim 16, further comprising:

    transmitting said seal and an identification from said client to said security server if said seal fails to match any of said previously opened seals in said memory;

    decrypting said seal at said security server to obtain access information; and

    comparing said identification with said access information to obtain authentication if said identification matches said access information.



19. The method of Claim 18, further comprising storing said seal and its corresponding permit in said memory if said client is authenticated.



20. The method of Claim 19, further comprising deleting a least recently used previously opened seal and its corresponding permit when said memory is full prior to said storing.
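As an added illustration that is not part of the patent text, the seal-opening procedure of Claims 16 through 20 in Python: the client keeps a bounded memory of previously opened seals and their permits, answers a matching seal from memory, otherwise sends the seal and its identification to the security server, which compares the identification with the seal's access information and returns the permit, and the client then stores the pair, deleting the least recently used seal first when the memory is full. The security server's decryption of a seal is stood in for by a private table of the seals it issued, and every name and value is constructed for the demo.

```python
from collections import OrderedDict
import secrets

class SecurityServer:
    """Security server of Claims 16-18; its decryption of a seal is stood in for
    by a private table of the seals it issued (a demo assumption)."""

    def __init__(self):
        self._issued = {}  # seal -> (allowed identifications, permit)

    def issue_seal(self, allowed_ids, permit):
        seal = secrets.token_bytes(16)  # opaque to every party but the server
        self._issued[seal] = (frozenset(allowed_ids), permit)
        return seal

    def open_seal(self, seal, identification):
        # Claim 18: obtain the seal's access information and compare it with the
        # identification; the permit is returned only when they match.
        entry = self._issued.get(seal)
        if entry is None:
            return None
        allowed_ids, permit = entry
        return permit if identification in allowed_ids else None

class Client:
    """Client of Claim 16: a bounded memory of previously opened seals and permits."""

    def __init__(self, server, identification, capacity=2):
        self.server = server
        self.identification = identification
        self.capacity = capacity
        self.memory = OrderedDict()  # seal -> permit, least recently used first
        self.server_round_trips = 0

    def open_seal(self, seal):
        # Claim 17: a seal already in memory yields its permit with no server round trip.
        if seal in self.memory:
            self.memory.move_to_end(seal)
            return self.memory[seal]
        # Claim 18: otherwise send the seal and our identification to the security server.
        self.server_round_trips += 1
        permit = self.server.open_seal(seal, self.identification)
        if permit is None:
            return None  # not authenticated: nothing is stored
        # Claim 20: when the memory is full, delete the least recently used seal first.
        if len(self.memory) >= self.capacity:
            self.memory.popitem(last=False)
        self.memory[seal] = permit  # Claim 19: store the opened seal and its permit
        return permit
```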
21. A method for key synchronization, comprising transmitting a plurality of datagram packets from a first party to a second party, each datagram packet having a seal attached, said seal being a set of encrypted bits comprising information for generating a set of encryption/decryption bits.
22. A method for key exchange and synchronization over a duplex channel, comprising:

    transmitting a first encrypted data stream having a first seal appended to the head of said first encrypted data stream from a first party to a second party, said first seal being a first set of encrypted bits comprising information for generating a first set of encryption/decryption bits; and

    transmitting a second encrypted data stream having a second seal appended to the head of said second data stream from said second party to said first party, said second seal being a second set of encrypted bits comprising information for generating a second set of encryption/decryption bits.

23. The method of Claim 22, further comprising:

    transmitting said first seal from said second party to a security server;

    authenticating said second party at said security server; and

    transmitting a first permit from said security server to said second party if said second party is authenticated, said first permit being a subset of said first seal, in decrypted form, and containing information for encrypting/decrypting said first encrypted data stream.



24. The method of Claim 23, further comprising:

    generating a first set of decryption bits at said second party; and

    decrypting said first encrypted data stream at said second party using said first set of decryption bits.



25. The method of Claim 24, further comprising:

    transmitting said second seal from said first party to said security server;

    authenticating said first party at said security server; and

    transmitting a second permit from said security server to said first party if said first party is authenticated, said second permit being a subset of said second seal, in decrypted form, and containing information for encrypting/decrypting said second encrypted data stream.



26. The method of Claim 25, further comprising:

    generating a second set of decryption bits at said first party; and

    decrypting said second encrypted data stream at said first party using said second set of decryption bits.